US7874012B2ExpiredUtilityA1
Privileged access to encrypted data
Est. expiryAug 18, 2025(expired)· nominal 20-yr term from priority
H04L 2463/101G06F 21/57H04L 2209/603H04L 63/10H04L 9/088G06Q 30/0609H04L 9/083H04L 63/06H04L 63/30H04L 63/104H04L 2209/76H04L 63/0428
51
PatentIndex Score
0
Cited by
5
References
21
Claims
Abstract
Content processing is disclosed. An indication that a sender desires to send encrypted content to a destination is received. An agreement is obtained from the sender to provide an access key to a node other than the destination and to encrypt content sent to the destination using an encryption key selected such that the access key is usable to decrypt the content.
Claims
exact text as granted — not AI-modified1. A method of processing content, comprising:
receiving on a communication interface an indication that a sender desires to send encrypted content to an end user destination; and
obtaining from the sender an agreement to provide an access key to a compliance node other than the end user destination and to encrypt content sent to the end user destination using an encryption key selected such that the access key is usable to decrypt the content, wherein the sender is not the compliance node and the compliance node does not provide the access key to the end user destination.
2. A method as recited in claim 1 , wherein the access key comprises a first access key and a second access key is provided to the destination to enable the destination to decrypt the content.
3. A method as recited in claim 1 , wherein the sender expresses the agreement by providing the access key.
4. A method as recited in claim 1 , wherein the node other than the destination comprises at least one of: a first host that is different than a second host associated with the destination; and a compliance process running at a host associated with the destination.
5. A method as recited in claim 1 , wherein the access key is provided to enable compliance processing of the content.
6. A method as recited in claim 5 , wherein the compliance processing includes performing one or more of the following: controlling the content, indexing the content, searching the content, archiving the content, retrieving the content, displaying the content, rendering the content, analyzing the content, scanning the content, analyzing the content to perform single instance store, analyzing the content for a virus or a malware, and verifying the content complies with one or more rules or regulatory restrictions.
7. A method as recited in claim 1 , wherein the encryption of the content is associated with an access restriction that specifies one or more of the following: one or more users that can access the content, how the content can be used, and when the content can be accessed.
8. A method as recited in claim 1 , wherein the agreement is obtained at least in part through an inter-machine negotiation without human intervention.
9. A method as recited in claim 8 , wherein the negotiation involves a rights management system associated with the sender and a compliance system associated with the destination.
10. A method as recited in claim 1 , wherein the indication is received prior to allowing an end-user recipient of the content to receive, access, or use the content.
11. A method as recited in claim 1 , wherein the indication comprises an attempt by the sender to send the content before the agreement has been obtained.
12. A method as recited in claim 1 , further comprising receiving, in the event the agreement is not obtained, an unrestricted version of the content and one or more restriction rules to be enforced with respect to an end-user recipient of the content.
13. A method as recited in claim 1 , further comprising blocking the content if the agreement is not obtained or the access key is not received.
14. A method as recited in claim 13 , wherein blocking the content includes not allowing an end-user recipient to receive, access, or use the content.
15. A method as recited in claim 13 , wherein blocking the content includes performing one or more of the following: notifying the sender that the content is blocked, and notifying the sender a reason for blocking the content.
16. A method as recited in claim 13 , further comprising placing the content in quarantine for further analysis if the agreement is not obtained or the access key is not received.
17. A method as recited in claim 1 , wherein the agreement includes obtaining the access key from a key server, and the sender agrees to use an encryption key obtained from the key server to encrypt the content.
18. A method as recited in claim 1 , wherein the access key comprises a master key usable to decrypt content capable of being decrypted with any one or more non-master keys associated with the master key.
19. A method as recited in claim 1 , wherein the access key comprises at least one of the following types of access keys:
a temporal specific key that can be used to access content for a specific period of time or a specific elapsed period of time from when the content was created or when the content was first accessed;
a recipient ID specific key that can be used to access content that is sent to a specific individual, group of individuals, and/or domains;
a sender ID specific key that can be used to access content this is sent from a specific individual, group of individuals, and/or domains;
a use count limited key that can be used to access content for a specified number of times;
a content type specific key that can be used to access content of only a specified type; and
an unrestricted key that can be used without restriction to access content associated with the key.
20. A system for processing content, comprising:
a communication interface configured to receive an indication that a sender desires to send encrypted content to an end user destination; and
a processor configured to obtain from the sender an agreement to provide an access key to a compliance node other than the end user destination and to encrypt content sent to the end user destination using an encryption key selected such that the access key is usable to decrypt the content, wherein the sender is not the compliance node and the compliance node does not provide the access key to the end user destination.
21. A computer program product for processing content, the computer program product being embodied in a non-transitory computer readable storage medium storing computer instructions for:
receiving an indication that a sender desires to send encrypted content to an end user destination; and
obtaining from the sender an agreement to provide an access key to a compliance node other than the end user destination and to encrypt content sent to the end user destination using an encryption key selected such that the access key is usable to decrypt the content, wherein the sender is not the compliance node and the compliance node does not provide the access key to the end user destination.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.